Search, top, count inside a transaction

emaccaferri · ‎07-23-2013

Hi!
I would like to know the frequency of each value of a certain field inside a transaction, for example:
my event after transaction (mvlist=t) are

23/07/2013 17:09 userdi1 value1
                 userid1 value2
                 userid1 value1
                 userid1 value3
                 userid1 value2
                 userid1 value1



23/07/2013 14:09 userid2 value2
                     userid2 value2
                     userid2 value2
                     userid2 value3
                     userid2 value2
                     userid2 value3

I wish to get the result:

23/07/2013 17:09 userdi1 value1 3
                         value2 2
                         value3 1

23/07/2013 14:09 userid2 value2 4
                         value3 2

I think to need transaction because in my log I have more than one "event" (section) for the same user.
This search

 index=ing sourcetype=callcenter | transaction maxpause=30m cif mvlist=t | stats count(value) by value

doesn't work.
My impression is that top or something similar inside a transaction without breakink it it impossible.
Any suggestion?
Thanks for your time

emaccaferri · ‎07-24-2013

Can be in this way, the important thing is count number of event with that value

ftk · ‎07-23-2013

Since the transaction command groups events based on the common identifier and then basically creates a new event containing all of the transaction's events, you can do your counts based on _time (as each transaction will have a unique _time) value.

In your example you could do as follows:

index=ing sourcetype=callcenter | transaction maxpause=30m cif | stats count(value) by _time, cif, value

Which would give you a results set similar to this:

23/07/2013 17:09 userid1 value1 3
23/07/2013 17:09 userid1 value2 2
23/07/2013 17:09 userid1 value3 1

23/07/2013 14:09 userid2 value2 4
23/07/2013 14:09 userid2 value3 2

Each unique value of _time indicates the counts for a single transaction.

emaccaferri · ‎07-26-2013

1003411 27/05/2013 10:40 value1
1003411 27/05/2013 10:41 value1
1003411 27/05/2013 10:43 value2
1008980 27/05/2013 12:21 value1

1008980 27/05/2013 12:21 value2

1008980 27/05/2013 12:21 value3

1008980 27/05/2013 12:21 value2

1008980 27/05/2013 12:23 value3
1008980 27/05/2013 12:23 value3

and so on

ftk · ‎07-24-2013

Do you mind posting a single sample event (before using transaction)? Maybe I am assuming something in my test data that is not present.

emaccaferri · ‎07-24-2013

Yes, that field is extacted at search-time. But I don't understand, how is it possible that for you is working and not for me? I made copy&paste

ftk · ‎07-24-2013

In my answer I assumed that "value" is an extracted field. Is this correct? If it is an extracted field then the search I gave you aggregates the counts fine (I tested it on sample data).

emaccaferri · ‎07-24-2013

This doesn't work either. The result become like
23/07/2013 17:09 userid1 value1 6
23/07/2013 17:09 userid1 value2 6
23/07/2013 17:09 userid1 value3 6

so each value counted like the total number of event for that userid,_time

gregbujak · ‎07-23-2013

Hi emaccaferri, is there any reason you must use multi value? Would a table result be ok:
23/07/2013 17:09 userdi1 value1 3
23/07/2013 17:09 userdi1 value2 2
...

Search, top, count inside a transaction

Introducing the 2024 SplunkTrust!

Introducing the 2024 Splunk MVPs!

Splunk Custom Visualizations App End of Life